Menu
Browse

Cyber Threat Actor: Shadow Kill Group

Aliases: 3 aliases
Actor Type Location Known Incidents
 Icon
Criminal
China
2 incidents
Profile

Shadow Kill Hackers,also known as Shadow Kill Group or Shadow Hackers, is a threat actor that has been publicly linked to cyber incidents in South Africa. Open‑source reporting indicates the group operates from China, although no further details about its infrastructure or internal structure have been disclosed. The actor is referenced by multiple aliases in news coverage of its activities, which helps analysts track the same entity across different reports.

The group’s known operations focus on municipal and utility targets within the Johannesburg area. In October 2019, Shadow Kill Hackers compromised the City of Johannesburg’s website and billing systems, leading to a shutdown of online services and a ransom demand of four Bitcoins, valued at approximately $30,000 at the time. A few months earlier, in July 2019, the same actor launched a ransomware attack against a major electricity supplier in Johannesburg, encrypting databases, applications, and network components and forcing the provider to take its IT systems offline. This disruption prevented over 250,000 pre‑paid customers from purchasing electricity and hampered response efforts to localized blackouts, although officials later confirmed that no customer data was exfiltrated. Both incidents involved explicit demands for payment in cryptocurrency to restore access, with no public confirmation of whether the ransom was paid.

Observed tactics, techniques, and procedures for Shadow Kill Hackers include the deployment of ransomware that encrypts critical data and the use of Bitcoin as the preferred payment method for extortion. No specific malware families, initial‑access vectors, or tooling details have been described in the available sources, so further technical characteristics remain undetermined. Public attribution does not establish a state nexus or affiliation with any known criminal consortium; the actor’s location in China is the only geographic clue provided. Consequently, the group's strategic objectives appear to be financially motivated, as evidenced by the ransom demands in both reported campaigns. No additional campaigns or operational details are available in the current material.

Incidents
Attributed incidents available to members
2 incidents
Sources
Sources available to members
1 source